THIS ARTICLE is based on our 2006 review and evaluation of insurance products designed to cover the unique risks of e-commerce. Our focus is on coverage for organizations that offer products and services via the Internet, such as online retailers and Web-site content providers, rather than on those who create the infrastructure for such commerce–e.g., Internet service providers, technology consultants and software developers.
This report contains information provided by 11 markets. They include seven carriers, some with multiple products: ACE, AIG, Chubb, CNA, Evanston Insurance Co., St. Paul Travelers and Zurich. We also heard from four wholesalers and managing general underwriters: Digital Risk Managers (representing Arch Specialty Insurance), Euclid Managers (representing Hudson Insurance Co.), Media/Professional (representing Axis and certain underwriters at Lloyd's) and Safeonline (representing ACE's Lloyd's operation). Collectively, we believe these insurers and intermediaries represent the core of the "cyber risk" insurance market.
We have compared the information provided by these markets against our own experience and knowledge. Where they conflict, we have reviewed the inconsistencies with them. However, the evaluation and conclusions are our own. Of course, the insurance policies govern the coverage provided, and the carriers are not responsible for our interpretation of their policies or survey responses.
In using this information, readers should understand that the information applies to the standard products of the carriers, and that special arrangements of coverage, cost and other variables may be available on a negotiated basis.
Introduction
Cyber risk insurance is a recently developed product. Like other new forms of coverage, it presents insurance product managers with challenges, as they learn what their insureds need and what the carriers can prudently cover. Most carriers are convinced that their best opportunity to sell cyber-risk coverage is to mainstream companies that have significant online exposures. Many of these prospects already are purchasing other forms of coverage from the carriers. Specific opportunities are recognized by Chubb, St. Paul Travelers and Zurich, which have created special cyber-risk products for financial institutions. More industry-focused products are anticipated as this product line grows and competition increases.
Some carriers' approach to the cyber-risk exposure is to offer coverage as an enhancement to their property or general liability coverages for mainstream insureds. For instance, Toby Levy, of The Hartford's Technology Group, calls the carrier's product an alternative to stand-alone products that is designed for companies that use the Internet as a complement to their traditional brick-and-mortar operations (i.e. not "dot-coms").
The Hartford, says Levy, "adds coverage to its standard general liability and property forms for certain cyber risks. For qualifying accounts, coverage is added to the general liability and property forms for certain cyber risks. For qualifying accounts, coverage is added to the general liability form for personal and advertising injury offenses arising from the insured's Web site activities. Coverage applies to all Web site content, not just those portions of the Web site that are deemed to be an advertisement. In addition, electronic vandalism is added as a covered peril to the property form. This additional coverage applies to damage to computer equipment, media and data arising from hackers, viruses and other forms of malicious code. Coverage also extends to business income losses, if purchased, arising from the electronic vandalism peril."
Cyber-risk insurance comes in a variety of forms, but we find it most helpful to divide coverage into property, theft or liability. Some carriers offer liability-only products, while others offer a combination of property, theft and liability coverage.
State of the market
Company sales data for cyber-risk insurance is hard to come by, but in reviewing the market, we have concluded that the annual gross written premium is $300 million to $350 million, up $50 million from our estimate in last year's report. As one knowledgeable product manager said, cyber-risk coverage is still a new product line and will take a few years to penetrate the marketplace.
It seems odd that with the growth of online commerce, there hasn't been more demand for these products. As e-commerce businesses–and especially their agents and advisers–become more knowledgeable about cyber-risk products, this market segment could grow dramatically. Carriers contacted for this report expressed increasing interest in the product and report that reinsurers are favorably inclined to it.
Rates for cyber-risk insurance, like most forms of commercial insurance, are definitely softening. Most carriers say they plan to hold rates flat, or within a range of -10% to +10%. We've also heard, however, that some carriers may reduce rates to attract new insureds into the cyber-risk market.
Carriers no longer appear to be increasing retentions or deductibles, as they were a few years ago. Even marginal insureds should be able to renew with the same retention or deductible as in 2005. There are no reports of widespread decreases, although individual insureds may experience them.
Significant liability-limits capacity continues to be available. Chubb (for the liability portion of its P&C product) will entertain limits up to $50 million, while ACE (for its Digital Technology product), AIG, Chubb (for its financial institutions products), and St. Paul Travelers have $25 million capacity in house. In regard to first-party coverage, limits range from $1 million to $15 million. Several carriers can secure limits above those indicated when necessary. For instance, AIG indicated additional liability-limits placement capability of $50 million (for a total of $75 million).
Carriers do not seem to require assessments of prospects' security procedures as much as they used to. Typically, but not always, any required assessment is free to the applicant. Such an assessment can be useful to applicants, even if they do not buy the coverage. If they do, a favorable assessment should help lower the insured's premium. Security assessments are much more often required when purchasing first-party coverage than third-party. Also, requirements vary with the nature of an insured's business. Some assessments are as simple as a review of an applicant's Web site, while others require an onsite review by third parties.
Coverage particulars
First-party coverage: Protection against denial of Web services (hacker attacks) is still a hot topic, due to continuing attacks on leading Internet sites. Most property products cover this risk, although subject to negotiation and individual underwriting. Theft exposures are sometimes not well understood. The potential for traditional theft of money or goods via the Internet is often recognized; but theft or destruction of data, extortion, and theft of computing resources sometimes are not.
Terrorism coverage: Coverage mandated under the federal Terrorism Risk Insurance Act extends the base policy form by eliminating terrorism-related exclusions, but only for foreign-sourced, certified acts. This leaves domestic and non-certified acts excluded from non-specialized policies.
Identity theft: Various forms of identity theft, especially "phishing" and "pharming," have become a great concern over the past two years. One anti-phishing working group offers the following description of this exposure:
"Phishing attacks use both social engineering and technical subterfuge to steal consumers' personal identity data and financial-account credentials. Social-engineering schemes use 'spoofed' e-mails to lead consumers to counterfeit Web sites designed to trick recipients into divulging financial data, such as credit-card numbers, account user names, passwords and Social Security numbers. (By) hijacking brand names of banks, e-retailers and credit-card companies, phishers often convince recipients to respond. Technical subterfuge schemes plant crimeware into PCs to steal credentials directly, often using Trojan keylogger spyware. Pharming crimeware misdirects users to fraudulent sites or proxy servers, typically through DNS hijacking or poisoning."
Carriers don't generally address these exposures specifically (either in terms of affirmative coverage or exclusions) but will look to the coverage terms relating to breach of security and unauthorized access to determine coverage. St. Paul Travelers has a specific coverage for "identity fraud theft." The carrier's Identity Fraud Expense Coverage Master Policy provides expense reimbursement for a covered individual's efforts to restore financial health and credit history following identity theft. A company purchases a master policy to extend benefits to a particular group of individuals–e.g., customers, employees or affinity program members. Euclid Managers' product offers coverage for failure to prevent identity theft or credit/debit card fraud. Although these two products specifically address identity theft exposures, readers should not assume that others do not. Still, we think the more affirmative coverage will be attractive to prospects.
We asked Anne DeVries, of Digital Risk Managers, about coverage for ID theft and phishing under its "WebNet Policy." She told us:
"For ID theft and phishing, both are addressed in our form under network liability, in that we would cover liability of the insured entity if electronic information assets were accessed/stolen, etc., from their system by an unauthorized individual or an authorized user who used the system in an unauthorized manner. Phishing is a difficult one to tackle, since the insured entity is as much a victim as their customer whose information was 'phished.' However, if someone gains access to the insured system using a valid ID and password that were obtained via phishing, any third-party financial loss arising from that unauthorized access/use would be covered under WebNet."
Carriers are broadening their offerings to protect insureds against liabilities arising out of lawsuits alleging breach of privacy and release of information. This exposure has been much in the headlines lately, and it creates serious risk of loss to the parties held responsible. A number of the carriers surveyed for this report offer specific coverage related to improper release or theft of confidential information.
Other policy particulars
Definitions: The definition of an insured differs on many policies. Many carriers do not automatically include subcontractors as insureds, although insureds usually can add them via endorsement. The definition of a claim also varies significantly, with some carriers going to great lengths to define a claim, and others using wording such as "a demand seeking damages."
Claims reporting, ERP options, and counsel: Each liability policy reviewed for this report is a claims-made form (Chubb's product for financial institutions is a loss-reported form), so extended reporting period options are important. Several markets contacted for this report offer free, automatic 60-day extended reporting periods; longer periods, generally up to three years–and in at least one case, unlimited–are available for additional premium.
Selection of counsel continues to be a delicate issue with insureds; but as we frequently see in other new lines of coverage, carriers typically reserve the right to select, or at least approve, counsel. AIG offers an optional "Choice of Counsel" form (insured chooses counsel). Several other markets allow the insured to select counsel, subject to carrier's approval, which will not be unreasonably withheld. As with all questions of counsel choice, we recommend that insureds reach agreement with their carriers in advance of any claims.
Generally, cyber-risk policies contain a "hammer clause." Such clauses require an insured who refuses to settle a claim for an amount acceptable to his or her insurer to absorb any ultimate costs exceeding the proposed settlement figure. "Soft" hammer clauses, which call for an insured and insurer to share costs exceeding a proposed settlement (and which one sometimes sees in employment practices and management liability products), so far have not shown up in cyber-risk policies.
Prior-acts coverage: All carriers surveyed for this report offer prior-acts coverage, with previous coverage sometimes required.
Territory: E-commerce is conducted worldwide, and one of the associated liability problems is that the legal standards of many countries differ from those of the United States. A widely reported case against a U.S. e-commerce portal was brought in Germany and was based on German legal standards. True worldwide coverage is important! It's available from all markets surveyed for this report, although in a few cases it must be added by endorsement.
Definition of covered services: All carriers define the services they cover, whether in "boilerplate" or on the declarations page. It's important that the definition match the insured's operations. Most carriers can adapt the language to meet the needs of a particular insured, but it is important to carefully craft that language. This is a part of the policy where we think omnibus wording is much needed, since the range of e-commerce activities can be vast and ever-changing. Optional endorsements are available, including manuscripted coverages for special requirements of insureds.
We have identified coverage for 11 specific exposures that may be, but are not always, included in a cyber-risk policy. These are:
• Errors & omissions.
• Viruses.
• Unauthorized access.
• Security breach.
• Personal injury.
• Advertising injury.
• Loss of use.
• Resulting business interruption.
• Copyright infringement.
• Trade or service mark infringement.
• Patent infringement.
Insureds should review their exposures to such losses and select carriers that are willing to cover them. Coverage for patent infringement, for example, is rarely offered in basic cyber-risk forms, but can be purchased from several carriers as a separate intellectual property policy.
Risk management services: Carriers continue to augment the exposure identification and loss prevention services they offer. The task must be challenging, because the range of e-commerce activity is extensive, not lending itself to a "one-size-fits-all" approach. Among the risk management services offered by the markets surveyed for this report are network security reviews, handbooks on risk management for commercial Web sites, property assessments, disaster recovery services, emergency loss containment, forensic services in response to security breaches, the services of legal experts in e-commerce and intellectual property matters, and various online resources. Such services may or may not require an additional fee.
This article was derived from the June 2006 issue of The Betterley Report, which is published six times a year by Betterley Risk Consultants. The complete report, which contains charts showing the responses of individual insurers, can be purchased for $65. Annual subscriptions are available for $347. For more information, contact Richard Betterley, CMC, at (877) 422-3366 or at rbetterley@betterley.com.